From: David Lawale [David.Lawale@buildbase.co.uk]
Date: 8 December 2015 at 10:58
Subject: Updated Statement - 2323191
Hi,
Please find attached copy updated statement as your account has 3 overdue invoices. Is there any reason why they haven't yet been paid?
Kind Regards
David
David Lawale | Credit Controller | Buildbase
Harvey Road, Basildon, Essex, SS13 1QJ
tel: +44(0)1268 590718 | fax: +44(0)1268 590077
www.buildbase.co.uk
Attached is a file 151124142451_0001.xls which I have seen come in two versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan.
UPDATE 1
Automated analysis is inconclusive [1] [2] [3] [4] [5] [6]. It is possible that there is an error in the macro.
UPDATE 2
According to the comments on this post and also some other sources, the macros download from:
gulteknoofis.com/76re459/98uy76t.exe
kinderdeszorns.de/76re459/98uy76t.exe
agencjareklamowalodz.com/76re459/98uy76t.exe
This has a detection rate of 4/55. According to these reports [1] [2] [3] and other sources, the malware phones home to:
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)
MD5s:
0316dbd20fbfd5a098cd8af384ca950f
1b4283c8531653a5156911be1e6535
5a2140f864d98949d44945500a7d18
6ce6e2b915688f2b474e65813dc361
Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169
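As an added defender-side example (not part of the original post), the following Python script checks proxy, firewall or AV log lines against the indicators listed above: the four phone-home addresses, the three download hosts and the path they share, and the one full-length MD5 (the other three hashes in the post are truncated and are left out). The log lines embedded in the script are constructed samples in a Squid-like and syslog-like layout, not real captures, and the field layouts are assumptions about the reader's own log sources.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
C2_IPS = {"216.189.52.147", "23.113.113.105", "221.132.35.56", "78.47.66.169"}
DOWNLOAD_HOSTS = {"gulteknoofis.com", "kinderdeszorns.de", "agencjareklamowalodz.com"}
DOWNLOAD_PATH = "/76re459/98uy76t.exe"
KNOWN_MD5S = {"0316dbd20fbfd5a098cd8af384ca950f"}  # only the full-length hash from the post

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def match_line(line):
    """Return a sorted list of indicator hits found in one log line."""
    hits = set()
    # Any IPv4 literal in the line (source, destination, next-hop) is compared
    # against the phone-home addresses.
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.add(f"c2-ip:{ip}")
    # URLs are split so that the host and the path are checked separately;
    # the path check also catches the same payload served from a new host.
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in DOWNLOAD_HOSTS:
            hits.add(f"download-host:{host}")
        if parsed.path == DOWNLOAD_PATH:
            hits.add(f"download-path:{parsed.path}")
    # Hashes reported by an AV or file-integrity tool are matched case-insensitively.
    for digest in MD5_RE.findall(line):
        if digest.lower() in KNOWN_MD5S:
            hits.add(f"md5:{digest.lower()}")
    return sorted(hits)


def scan(lines):
    """Return [(line_number, hits)] for every line that matches at least one indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_line(line))]


# Constructed sample log lines (not real traffic): three Squid-style proxy
# entries and one syslog-style AV entry.
SAMPLE_LOG = [
    "1449575422.101 312 10.0.0.5 TCP_MISS/200 51234 GET http://gulteknoofis.com/76re459/98uy76t.exe - DIRECT/1.2.3.4 application/octet-stream",
    "1449575430.207 18 10.0.0.5 TCP_MISS/200 412 POST http://216.189.52.147/ - DIRECT/216.189.52.147 text/html",
    "1449575441.009 22 10.0.0.7 TCP_HIT/200 9182 GET http://www.example.org/index.html - NONE/- text/html",
    "Dec  8 11:03:10 av01 scanner: quarantined /home/user/Downloads/98uy76t.exe md5=0316dbd20fbfd5a098cd8af384ca950f",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Running the script flags the download, the POST to one of the phone-home addresses and the quarantined file, and leaves the ordinary browsing line alone. In practice the indicator sets would be loaded from a file rather than hard-coded, and a hit on `download-path` alone is worth a look even when the host is new.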
1 comment:
http://gulteknoofis.com/76re459/98uy76t.exe or http://agencjareklamowalodz.com/76re459/98uy76t.exe
https://www.virustotal.com/en/file/f32547b5bb4abe56e6ba6ba0676466735ce8aa50be4beb1d90e43438c7296030/analysis/1449575422/
Most automatic analysers didn't work on this one
joesandbox did